Technical Team/Minutes/2019-07-23

From SPDX Wiki
Jump to: navigation, search

July 23, 2019

Attendees

  • Philippe Ombredanne
  • Steve Winslow
  • Gary O’Neall
  • Jim Hutchinson
  • Rohit Lodha
  • Tushar MIttal
  • Kate Stewart

SPDX prefixes to use in Source Files Appendix

  • General agreement that SPDX-“TagValue label” - is ok.
  • https://github.com/spdx/spdx-spec/issues/122
    • Action: Use FileCopyrightText:
  • SPDX-License-Identifer and SPDX-ConcludedLicense:
    • Philip would like to see clarification come with this that
    • SPDX-Licence-Identifer is an alias for SPDX-DeclaredLicense
  • Philippe - wondering about introducing alisas when used in files.
    • Use this as a way to recocile the two?
  • Steve - Note that its different and explain why different.
  • Which section of the SPDX can be included.
  • File section tags, make sense. Package a little higher.
  • FileComment - generator.
  • Referring to origin package.
  • Philippe - two things. Provide SPDX- prefix tags in files.
  • Some inconsistencies. Specify and see how folks use.
  • Subtle things. Missing tags at the file level. One is download URL for that file.
  • Maybe should state at file level tags with file prefix.
  • Find a way to specify.
  • Package level fields? Details of parents in child as apposed to child in parent.
  • Put files and package level information. Package level of document, go to file of document. Risk of confusion and inconsistencies. Two files side by side.
  • Both have SPDX tags insided. What happens if refer to different package?
  • Probably ok - tools should create two SPDX documents. Relations is an issue at the document level. When you assemble and collect at the file level.
  • Fields just level - makes sense, and some missing should be added.
  • Releationships/packages/etc. hard to include.
  • Hierarchy of what developers put as documentation in code, when borrow code from somewhere from code. First is to put a URL. So, adding this to file level of the specification. Download URL not part of spec at all.
  • Gary - Have to be careful of semantics of URL, made a copy vs. go to URL to download a copy. Package level could be confusing. Auditor perspective - Half to 3/4 is not the origin, copied from can’t be trusted.

Once we have the appendix. SPDX website, predigested version with examples for developers.

  • Use this tag for this purpose…. easier for developer to see.
  • Steve - specify which fields not appropriate to use.
  • Kate- Put as a table, and leave out deprecated.